<div dir="ltr"><div>Hi Guys,</div><div><br></div><div>I've configured an ipsec tunnel for 2 DC's. I'm seeing an issue and at the moment it doesn't appear to be causing too many problems, but I believe is likely an issue that will result in future problems.</div><div><br></div><div><br></div><div>With some advice from an expert in this subject, we did a full upgrade of the libreswan environment, and did a basic config like so:</div><div><br></div><div>Left Server config(EDI):</div><div><br></div><div>conn edi-fvc<br> auto=start<br> ikev2=yes<br> authby=rsasig<br> left=10.1.16.26<br> leftid=@edi
....[removed for public view] ....<br> leftsubnets=<a href="http://10.1.16.0/22,192.168.100.0/22">10.1.16.0/22,192.168.100.0/22</a><br> leftrsasigkey=0sAwEAAbzZRjv
....[removed for public view] .... qbuYQYg+t8zbCPZ/Lrf6L<br><br> right=
....[FVC PUBLIC IP removed for public view] ....<br> rightid=@<a href="http://fvc.freightgate.com">fvc.freightgate.com</a><br> rightsubnets=<a href="http://192.168.0.0/22,192.168.24.0/22">192.168.0.0/22,192.168.24.0/22</a><br> rightrsasigkey=0sAwEAAbcwz7GVxHm9
....[removed for public view] .... DQIVMDud2Zc0k=<br></div><div><br></div><div><br></div><div>Right Server config (FVC):</div><div><br></div><div>conn fvc-edi<br> auto=start<br> ikev2=yes<br> authby=rsasig<br> left=192.168.1.26<br> leftid=@fvc
....[removed for public view] ....<br> leftsubnets=<a href="http://192.168.0.0/22,192.168.24.0/22">192.168.0.0/22,192.168.24.0/22</a><br> leftrsasigkey=0sAwEAAbcwz7GVxHm9....[removed for public view] ....DQIVMDud2Zc0k=<br><br><br><br> right=
....[EDI PUBLIC IP removed for public view] ....<br> rightid=@edi
....[removed for public view] ....<br> rightsubnets=<a href="http://10.1.16.0/22,192.168.100.0/22">10.1.16.0/22,192.168.100.0/22</a><br> rightrsasigkey=0sAwEAAbzZRjv
....[removed for public view] .... qbuYQYg+t8zbCPZ/Lrf6L<br></div><div><br></div><div><br></div>In ipsec status on EDI, I get a status that looks good:<div><br></div><div>000 #7: "edi-fvc/1x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4881s; REPLACE in 5602s; newest; eroute owner; IKE SA #10; idle;<br>000 #7: "edi-fvc/1x1" esp.a44a289e@
....[FVC PUBLIC IP removed for public view] .... <a href="mailto:esp.4cc9c32a@10.1.16.26">esp.4cc9c32a@10.1.16.26</a> tun.0@
....[FVC PUBLIC IP removed for public view] .... <a href="mailto:tun.0@10.1.16.26">tun.0@10.1.16.26</a> Traffic: ESPin=349KB ESPout=2MB ESPmax=0B <br>000 #9: "edi-fvc/1x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4944s; REPLACE in 5633s; newest; eroute owner; IKE SA #10; idle;<br>000 #9: "edi-fvc/1x2" esp.d35b5f5f@
....[FVC PUBLIC IP removed for public view] .... <a href="mailto:esp.a83cf3b7@10.1.16.26">esp.a83cf3b7@10.1.16.26</a> tun.0@
....[FVC PUBLIC IP removed for public view] .... <a href="mailto:tun.0@10.1.16.26">tun.0@10.1.16.26</a> Traffic: ESPin=0B ESPout=0B ESPmax=0B <br>000 #8: "edi-fvc/2x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4670s; REPLACE in 5624s; newest; eroute owner; IKE SA #10; idle;<br>000 #8: "edi-fvc/2x1" esp.5c42b219@
....[FVC PUBLIC IP removed for public view] .... <a href="mailto:esp.965f2f73@10.1.16.26">esp.965f2f73@10.1.16.26</a> tun.0@
....[FVC PUBLIC IP removed for public view] .... <a href="mailto:tun.0@10.1.16.26">tun.0@10.1.16.26</a> Traffic: ESPin=28MB ESPout=18MB ESPmax=0B <br>000 #6: "edi-fvc/2x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 4917s; REPLACE in 5563s; newest; eroute owner; IKE SA #10; idle;<br>000 #6: "edi-fvc/2x2" esp.1a4d115b@
....[FVC PUBLIC IP removed for public view] .... <a href="mailto:esp.bfdf2765@10.1.16.26">esp.bfdf2765@10.1.16.26</a> tun.0@
....[FVC PUBLIC IP removed for public view] .... <a href="mailto:tun.0@10.1.16.26">tun.0@10.1.16.26</a> Traffic: ESPin=2MB ESPout=21MB ESPmax=0B <br>000 #10: "edi-fvc/2x2":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 5004s; REPLACE in 5843s; newest; idle;</div><div><br></div><div><br></div><div><br></div><div><br></div><div>In FVC, I see this:</div><div>000 <br>000 #445: "fvc-edi/1x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5346s; REPLACE in 5616s; newest; eroute owner; IKE SA #452; idle;<br>000 #445: "fvc-edi/1x1" esp.4cc9c32a@
....[EDI PUBLIC IP removed for public view] .... <a href="mailto:esp.a44a289e@192.168.1.26">esp.a44a289e@192.168.1.26</a> tun.0@
....[EDI PUBLIC IP removed for public view] .... <a href="mailto:tun.0@192.168.1.26">tun.0@192.168.1.26</a> Traffic: ESPin=2MB ESPout=349KB ESPmax=0B <br>000 #452: "fvc-edi/1x1":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 5587s; REPLACE in 5857s; newest; idle;<br>000 #446: "fvc-edi/1x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5368s; REPLACE in 5638s; newest; eroute owner; IKE SA #452; idle;<br>000 #446: "fvc-edi/1x2" esp.965f2f73@
....[EDI PUBLIC IP removed for public view] .... <a href="mailto:esp.5c42b219@192.168.1.26">esp.5c42b219@192.168.1.26</a> tun.0@
....[EDI PUBLIC IP removed for public view] .... <a href="mailto:tun.0@192.168.1.26">tun.0@192.168.1.26</a> Traffic: ESPin=18MB ESPout=28MB ESPmax=0B <br>000 #448: "fvc-edi/2x1":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5377s; REPLACE in 5647s; newest; eroute owner; IKE SA #452; idle;<br>000 #448: "fvc-edi/2x1" esp.a83cf3b7@
....[EDI PUBLIC IP removed for public view] .... <a href="mailto:esp.d35b5f5f@192.168.1.26">esp.d35b5f5f@192.168.1.26</a> tun.0@....[EDI PUBLIC IP removed for public view] ....<a href="mailto:tun.0@192.168.1.26">tun.0@192.168.1.26</a> Traffic: ESPin=0B ESPout=0B ESPmax=0B</div><div>000 #443: "fvc-edi/2x2":4500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in 5307s; REPLACE in 5577s; newest; eroute owner; IKE SA #452; idle;<br>000 #443: "fvc-edi/2x2" esp.bfdf2765@
....[EDI PUBLIC IP removed for public view] .... <a href="mailto:esp.1a4d115b@192.168.1.26">esp.1a4d115b@192.168.1.26</a> tun.0@
....[EDI PUBLIC IP removed for public view] .... <a href="mailto:tun.0@192.168.1.26">tun.0@192.168.1.26</a> Traffic: ESPin=21MB ESPout=2MB ESPmax=0B <br>000 #810: "fvc-edi/2x2":500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in 24s; idle;<br>000 #810: pending CHILD SA for "fvc-edi/2x2"<br>000 #810: pending CHILD SA for "fvc-edi/2x2"<br>000 #810: pending CHILD SA for "fvc-edi/2x2"<br>000 #810: pending CHILD SA for "fvc-edi/2x2"<br></div><div><br></div><div><br></div><div><br></div><div>The 2 servers are behind NAT's on separate machines. One is a commercial firewall and the other is a standard iptables nat.</div><div><br></div><div>Is this going to cause issues and can anyone see a reason why this problem might exist? </div><div><br></div><div>And have I set this up correctly?</div><div><br></div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><table style="color:rgb(34,34,34);direction:ltr;border-collapse:collapse"><tbody><tr><td><table cellpadding="0" cellspacing="0" width="100%" style="width:1232.19px;padding-right:8px;line-height:normal"><tbody><tr><td style="font-family:Arial"><p style="font-size:13px;margin:0px">Thank you,</p><br></td></tr></tbody></table><table cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td style="line-height:0;height:16px;max-width:600px"></td></tr></tbody></table><table cellpadding="0" cellspacing="0" style="font-family:Arial;line-height:1.25;padding-bottom:10px;color:rgb(0,0,0)"><tbody><tr><td style="vertical-align:top;padding-right:20px"><table cellpadding="0" cellspacing="0" style="width:65px"><tbody><tr><td></td></tr></tbody></table><b><font color="#6fa8dc"><img width="96" height="96" src="https://ci3.googleusercontent.com/mail-sig/AIorK4wQ01wwVRn7mjohN7wPTA5ar50dLZbM-vGxKF1Kq989EA7lC-as3_0AoG3gT7BrG6enwc5V0sg"><br></font></b></td><td valign="top"><table cellpadding="0" cellspacing="0" style="font-family:Arial"><tbody><tr><td style="line-height:1.2"><b><font color="#6fa8dc">Greg Borbonus</font></b><br><span style="font-size:12px;letter-spacing:0px;font-family:Arial;text-transform:initial;color:rgb(69,102,142)">General Manager</span></td></tr><tr><td style="line-height:0;padding-top:12px;padding-bottom:12px"><table cellspacing="0" cellpadding="0" style="width:260.5px"><tbody><tr><td style="line-height:0;font-size:1pt;border-bottom:5px solid rgb(69,102,142)"> </td></tr></tbody></table></td></tr><tr><td style="line-height:0"><table cellpadding="0" cellspacing="0"><tbody><tr><td><table cellpadding="0" cellspacing="0"><tbody><tr><td style="line-height:0;padding-bottom:6px"><table cellpadding="0" cellspacing="0" style="line-height:14px;font-size:12px;font-family:Arial"><tbody><tr><td style="font-family:Arial;font-weight:bold;color:rgb(69,102,142)"><span style="line-height:1.2">P</span></td><td width="5" style="width:5px;font-size:1pt;line-height:0"> </td><td style="font-family:Arial"><a href="tel:+639310006006" style="color:rgb(17,85,204)" target="_blank"><span style="line-height:1.2;color:rgb(33,33,33);white-space:nowrap">+</span></a>1 832 576 5956</td></tr></tbody></table></td><td style="line-height:0;padding-bottom:6px"><table cellpadding="0" cellspacing="0" style="line-height:14px;font-size:12px;font-family:Arial"><tbody><tr><td style="padding:0px 6px"><span style="font-family:Arial;font-weight:bold;color:rgb(33,33,33)"></span></td><td style="font-family:Arial;font-weight:bold;color:rgb(69,102,142)"><span style="line-height:1.2">W</span></td><td width="5" style="width:5px;font-size:1pt;line-height:0"> </td><td style="font-family:Arial"><br><a href="https://skilledpragati.com/" style="color:rgb(17,85,204)" target="_blank"><span style="line-height:1.2;color:rgb(33,33,33);white-space:nowrap">https://skilledpragati.com</span></a><br><br></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table><div></div></div></div></div></div></div>